Can anyone give me a compelling reason why you would want to buy a commercial IDP box like a Juniper IDP250 instead of just using Suricata or Snort in IDP mode? The Juniper products seem to have a bunch of marketing speak, and outside of maybe quicker rules updates, I can't find a reason why you would buy one.

Does anyone have any practical experience with the Juniper line? Are they worth a damn?

I'm 80% Juniper down in my shop but also use both Snort and Suricata equally. It all boils down to time because time = money. With Juniper and other commercial products, there are dedicated people working non-stop on the devices. This gives you some level of confidence that signatures are as up-to-date as possible whereas with Snort and Suricata, you're at the mercy of the community and yourself.

We'll start with the community. No big secret about zealotry: Suricata forked from Snort, OpenVAS forked from Nessus, and the lineage goes back dozens of years. In the open source realm, there are and have been a lot of cool projects, often messed up by individuals themselves. Snort and IDP/IPS are nothing new. Marcus Ranum had the excellent NFR, Ron Gula had the excellent Dragon. There was EMERALD and a bucketload of cool tools that were effective. Ask yourself: "Where are they now?" This is the problem with open source and the like. Whereas with, say, a vendor (Juniper, TippingPoint), when you need something, a call or a ticket WILL get you results without the headaches of jumping on IRC or a mailing list.

Let's move on to you (not you per se, but the individual running the IDP/IPS). How good is your packet fu, reversing skills, AV detective skills and so on? Do you think you could create, say, 1,000 signatures per day to keep up with the threat? Because the big boys (Juniper, TippingPoint, etc.) have the visibility, you can have some form of relief that there are dozens, maybe hundreds, of people actively working on a collected source of data versus anything you could whip up.

So ask yourself, do you want to spend the money (time) running around on IRC, mailing lists, waiting for community volunteers to make signatures or would you rather have it done for you and save yourself the headache and money (time).

The Juniper products seem to have a bunch of marketing speak and outside of maybe quicker rules updates

This gives you some level of confidence that signatures are as up-to-date as possible whereas with Snort and Suricata, you're at the mercy of the community and yourself.

I don't agree that you are guaranteed to receive quicker updates from a commercial solution; you can write your own rules with open solutions. Yeah, maybe you cannot equal the volume of rules produced by a whole team dedicated to that effort. Or, for example, a solution like TippingPoint benefits from a program like ZDI in a way that lets them offer protection against 0-day vulns sooner. But how can you be sure those rules are effective enough? Once you learn what exactly the rule is protecting you from, you may bypass it (I've done it a couple of times), so you are at the mercy of the vendor to fix/tune up those rules, while with the open solutions you can do it by yourself.
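The point above, that a signature you can read is a signature you can route around until someone tunes it, is easy to see with a toy re-implementation of `content` / `nocase` / `pcre` matching. This is an added example, not code from Snort, Suricata or any poster in the thread; the rules, SIDs and HTTP payloads are constructed for illustration, and the matcher is deliberately simplified (no protocol normalisation, no fast-pattern engine).

```python
"""Toy signature matcher showing why a readable rule can be evaded and how
the person holding the rule file tunes it back into shape.  Added example;
rules, SIDs and payloads below are constructed, not from any real ruleset."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    sid: int
    msg: str
    content: bytes                 # literal byte pattern, like Snort 'content:'
    nocase: bool = False           # like the 'nocase' modifier
    pcre: Optional[bytes] = None   # optional regex that must also match, like 'pcre:'

    def matches(self, payload: bytes) -> bool:
        hay = payload.lower() if self.nocase else payload
        needle = self.content.lower() if self.nocase else self.content
        if needle not in hay:
            return False
        if self.pcre is not None and re.search(self.pcre, payload, re.I) is None:
            return False
        return True


def alerts(rules: List[Rule], payload: bytes) -> List[int]:
    """SIDs that fire on this payload."""
    return [r.sid for r in rules if r.matches(payload)]


# Constructed traffic: one benign request, one obvious UNION-based SQLi probe,
# and three rewrites of the probe an attacker tries once they have read rule v1.
BENIGN    = b"GET /item?id=1 HTTP/1.1"
PROBE     = b"GET /item?id=1 UNION SELECT user,pass FROM users HTTP/1.1"
EVASION_1 = b"GET /item?id=1 UnIoN SeLeCt user,pass FROM users HTTP/1.1"      # case games
EVASION_2 = b"GET /item?id=1 UNION/**/SELECT user,pass FROM users HTTP/1.1"   # inline comment
EVASION_3 = b"GET /item?id=1 UNION\tALL\tSELECT user,pass FROM users HTTP/1.1"  # tabs + ALL

# v1: the rule as shipped.  Exact, case-sensitive literal.
V1 = [Rule(1000001, "SQLi UNION SELECT", b"UNION SELECT")]

# v2: tuned with nocase.  Catches the case variant, still misses the rest.
V2 = [Rule(1000001, "SQLi UNION SELECT", b"UNION SELECT", nocase=True)]

# v3: anchor on the cheap literal 'UNION' and let a regex tolerate comments,
# arbitrary whitespace and the optional ALL keyword between the two words.
V3 = [Rule(1000001, "SQLi UNION SELECT", b"UNION", nocase=True,
           pcre=rb"UNION(?:\s|/\*.*?\*/)+(?:ALL(?:\s|/\*.*?\*/)+)?SELECT")]

SAMPLES = [("benign", BENIGN), ("probe", PROBE), ("case", EVASION_1),
           ("comment", EVASION_2), ("tab_all", EVASION_3)]


def coverage(rules: List[Rule]) -> dict:
    """Which of the constructed samples fire an alert under this rule version."""
    return {name: bool(alerts(rules, p)) for name, p in SAMPLES}


if __name__ == "__main__":
    for label, rs in (("v1", V1), ("v2", V2), ("v3", V3)):
        print(label, coverage(rs))
```

Each round is the same loop the poster describes: read the rule, find the gap, then either wait for the vendor or, with an open ruleset, edit the rule yourself. Note that v3 still only covers the evasions someone thought of; a whitelist of the application's legitimate parameters would close the class rather than the instances.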

Excellent point Sil. It also helps when you want to sell a product to management. Most managers and CFO types will see the cost of say a Juniper or Tipping Point and say

"hey isn't there some free opensource product we can use??"

And you, being the person who would have to manage that, could say

"Well, we can, but we will need to hire a person to maintain and monitor this device, and we will have to pay that person 75-85K a year plus benefits. Also, if the system breaks we will have to wait for someone on the interwebs to come up with a solution. Oh yeah, and if the device goes down we will not have internet access, since it sits between our firewall and internet modem." :D "So let's spend the 25-40K for a supported solution, and if anything goes wrong we can call the 24/7 support line and open a ticket with a 4 hour or less response."

As a geek though, well yeah we want to play with the opensource and figure out the inner workings and even get the direct exposure to discover a new threat not seen before. But then that is for our home labs and not for the business.

Nah @ complaints for Juniper. At least for me there aren't any. There may be a slight learning curve, but that's a given for most technologies and applications when they're new. Suricata is indeed kick-ass cool; however, there are pros and cons which would hinder me from getting a client to agree to deploy it. Imagine having a client in Asia right now and you're telling them you want to deploy Suricata. They'd shoo you out of their office. "part of and funded by the Department of Homeland Security's Directorate for Science and Technology HOST program (Homeland Open Security Technology), by the Navy's Space and Naval Warfare Systems Command (SPAWAR)" It's just the way it is.

Back in the daze (not a typo) EMERALD (http://www.csl.sri.com/projects/emerald/project.html) was the de facto must-have. Around this time, there was also a lot of funny stuff going on where the unofficial (don't ask, don't tell) policy/theory was: "man, as nice as that is, you DON'T WANT to run it on your network." Just saying. At the end of the day, I will run what my client wants me to or what I feel works best. For me, cost-wise, it's Juniper "set it and forget it" versus: "Set it up, apt-get build bunch_o_crap or pkg_add will_this_work && ./Bitch -n sil irc.somewhere.net to get help."

Below are some tried and true links with information for EMERALD and similar systems (C-SCIDS), etc.

mambru wrote:I don't agree that you are guaranteed to receive quicker updates from a commercial solution; you can write your own rules with open solutions. Yeah, maybe you cannot equal the volume of rules produced by a whole team dedicated to that effort. Or, for example, a solution like TippingPoint benefits from a program like ZDI in a way that lets them offer protection against 0-day vulns sooner. But how can you be sure those rules are effective enough? Once you learn what exactly the rule is protecting you from, you may bypass it (I've done it a couple of times), so you are at the mercy of the vendor to fix/tune up those rules, while with the open solutions you can do it by yourself.

Mambru, a lot of the commercial guys criss-cross through other vendors like Arbor Networks, Shadowserver, etc., to get data from. They have entire departments to do so. I can guarantee you that unless a company like Arbor Networks decided to do something pro bono, the signatures on, say, Juniper or TippingPoint would likely eclipse those found in, say, BleedingEdge's alerts. You also have to remember how many Fortune 500s or better are running Suricata versus Juniper or TippingPoint. Collective-wise, you'd be better off with Juniper to save money and time. LEARNING-WISE you'd be better off with Suricata; however, in a REAL TIME mission-critical environment, you are at the mercy of the admin understanding A LOT. This includes exploits, attack sources, destinations, etc., which is a lot to rely on from one person. In a small environment, sure; at +50 machines I wouldn't waste my time.

From 2009: 80% of the Fortune 100 and 42% of the Global 500 used Snort (can we trust these numbers?). Not a bad number for an open solution. Of course Suricata does not have percentages like those, since it's been only one year since the release of the first stable version; hopefully one day it will be there.

If you want to rely on a commercial service to receive rules, you have Emerging Threats Pro and VRT. Appliances? Bivio and NPulse are selling them with implementations of Suricata, just like Sourcefire does with Snort. I understand that companies most of the time would rather have a big player backing them up. I just don't think that commercial solutions are always better than free ones.

Well, I tried to answer this from the professional perspective, not taking into consideration the "hacker" role. Suricata and Snort offer more granularity than Juniper, in a different way. If you're in an environment where you're allowed to mix and match your own lab-based learning/techniques into the overall security equation, there is a lot more you can do for the "hacker" factor.

For example, Juniper and others will usually give you an appliance. It is usually going to be a variant of Linux (embedded or otherwise); in the case of Juniper, expect a modified BSD. You WON'T be able to do much on the machine itself, as it is going to be highly optimized by the vendor.

On a Suricata/Snort deployment, you're likely making a machine from scratch. This enables you to do whatever you want to do on that same box. One of the things I did when I was securing and deploying Asterisk PBXs was, using expect, shell, perl and others to do all sorts of cool things. Things I could never do on say Cisco Call Manager, Avaya, etc.

So what I would do was strip down OSSIM (now AlienVault), using OSSEC, p0f and other tools, and have it do some nifty automation. For example, on the PBXs I would make triggers to be detected by Snort. If a trigger occurred, I could then (on the same system) run any application I had, including the ones I would make on my own. This allowed me to do some really cool things for the hacker factor. Because in this environment (VoIP) there really isn't any kind of toll/VoIP-based IDS/IPS, I made my own (VTIPS, http://www.infiltrated.net/asterisk-ips.html).

So don't get me wrong, I love open source based tools, they have their place; however, it all boils down to the environment you're in, your management, etc.
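The "Snort trigger fires, then run whatever you want on the same box" pattern from the last post is the part you cannot do on a sealed appliance. As an added illustration (not the poster's VTIPS code, and not Snort's own), here is the glue for it: parse Snort's `alert_fast` output, key on the local SIDs you wrote for the PBX, require a few hits from the same source before acting, and hand the event to a handler you control. The alert lines, the SIDs 1000001/1000002 and the handler commands are all constructed assumptions.

```python
"""Alert-driven automation on an open sensor: tail Snort alert_fast lines,
dispatch your own SIDs to your own code.  Added example; alert lines, SIDs,
hosts and handler commands are constructed for illustration."""
import re
from collections import defaultdict
from typing import Callable, Dict, List, Optional

# Snort 'alert_fast' layout.  The [Classification: ...] block is optional,
# so a rule without a classtype still parses.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s*"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s*"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_fast(line: str) -> Optional[dict]:
    """Return the alert fields as a dict, or None for a line that is not an alert."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
        ev[k] = int(ev[k])
    return ev


class Dispatcher:
    """Map local SIDs to handlers; act only after `threshold` hits per (sid, src)
    so one stray packet does not firewall off a customer."""

    def __init__(self, threshold: int = 3):
        self.threshold = threshold
        self.handlers: Dict[int, Callable[[dict], str]] = {}
        self.seen: Dict[tuple, int] = defaultdict(int)
        self.actions: List[str] = []

    def on(self, sid: int, handler: Callable[[dict], str]) -> None:
        self.handlers[sid] = handler

    def feed(self, line: str) -> Optional[str]:
        ev = parse_fast(line)
        if ev is None or ev["sid"] not in self.handlers:
            return None                      # not ours, or not an alert at all
        key = (ev["sid"], ev["src"])
        self.seen[key] += 1
        if self.seen[key] < self.threshold:
            return None
        action = self.handlers[ev["sid"]](ev)
        self.actions.append(action)
        return action


# Handlers return the command they would run instead of executing it, so the
# decision logic can be checked offline.  Both are hypothetical responses.
def block_source(ev: dict) -> str:
    return f"iptables -I INPUT -s {ev['src']} -j DROP"


def page_admin(ev: dict) -> str:
    return f"notify: {ev['msg']} from {ev['src']}"


# Constructed alert stream: three REGISTER brute-force hits from one host, an
# ET rule we do not handle, one INVITE scan from another host (no classtype),
# and one line from some other tool sharing the log.
SAMPLE_ALERTS = [
    "03/15-02:11:09.102233  [**] [1:1000001:2] LOCAL SIP REGISTER brute force [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {UDP} 203.0.113.5:5060 -> 198.51.100.10:5060",
    "03/15-02:11:09.233110  [**] [1:2008578:4] ET SCAN Sipvicious Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 203.0.113.5:5060 -> 198.51.100.10:5060",
    "03/15-02:11:10.004501  [**] [1:1000001:2] LOCAL SIP REGISTER brute force [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {UDP} 203.0.113.5:5060 -> 198.51.100.10:5060",
    "03/15-02:11:10.500000  [**] [1:1000002:1] LOCAL SIP INVITE extension scan [**] [Priority: 2] {UDP} 192.0.2.77:5060 -> 198.51.100.10:5060",
    "Mar 15 02:11:11 pbx asterisk[1234]: NOTICE: Registration from '300' failed",
    "03/15-02:11:11.771204  [**] [1:1000001:2] LOCAL SIP REGISTER brute force [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {UDP} 203.0.113.5:5060 -> 198.51.100.10:5060",
]


def run(lines: List[str], threshold: int = 3) -> List[str]:
    """Feed a batch of log lines through a dispatcher and return the actions taken."""
    d = Dispatcher(threshold=threshold)
    d.on(1000001, block_source)   # hypothetical local SID: REGISTER brute force
    d.on(1000002, page_admin)     # hypothetical local SID: INVITE extension scan
    for line in lines:
        d.feed(line)
    return d.actions


if __name__ == "__main__":
    for action in run(SAMPLE_ALERTS):
        print(action)
```

In production this sits behind `tail -F /var/log/snort/alert` (or reads unified2 with a proper library) and the handlers shell out; the shape is the same. The threshold and the per-source key are the two knobs that keep a signature false positive from turning into a self-inflicted outage.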